CSP header fails with "Refused to apply inline style..." but I have already added the hash


Problem description

Getting

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-UTjtaAWWTyzFjRKbltk24jHijlTbP20C1GUYaWPqg7E=' 'sha256-lAjyGSIzNSfpcl56itQltlKnBClAWcbXqXwsWgwPBDM=' 'sha256-IQ1w928Id2I18HopWjf2QH1yWRabHjMmdIigddkJsjk=' 'sha256-gx2qS9lINA9HjEhSBFaGgUjlVL1GCqJxyGoHpGODeo8=' 'sha256-nFZFLbV913URty3kcgmuV3NUKJUM9TYhEZ+OkHy6DxU=' 'sha256-xfnLUXCYTisGE0l0rOaR+OgO5EG+uV25p4QNcjB5dWg=' 'sha256-TUXjxBhzs16+YXaJCnt/+EyyEldkUoAz/SvQCm05hFw=' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-gx2qS9lINA9HjEhSBFaGgUjlVL1GCqJxyGoHpGODeo8='), or a nonce ('nonce-...') is required to enable inline execution.

Note however, that the hash it wants me to add, is already present.

Using the latest Chrome.

What is the problem with my CSP header?

Recommended answer

You were caught in a tricky way. There are 2 kinds of inline styles:

  1. <style>...</style> - supports 'hash-value' token
  2. <tag style='...'> - does not support 'hash-value' token

But Chrome computes sha256 values for both of those, because it is preparing to support the 'unsafe-hashes' token (but has not implemented it yet; it is implemented, sorry). Chrome's console messages do not differentiate between the two styles above; all are considered inline.

So somewhere in your HTML code you have an inline style in a tag (para 2). Chrome computed the sha256 hash for it and fired a warning in the console. You add this hash to the CSP but still have a warning, because the style in the tag is blocked - it cannot be allowed via 'hash-value'.
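
An added example, not part of the original answer: a small audit script that finds both kinds of inline style in a page, computes the hash Chrome would report for each, and marks which ones a given style-src value actually allows. The matching rules are a simplified model of CSP Level 3 (nonces are not evaluated), and the names `csp_hash`, `InlineStyleFinder`, `audit` and `SAMPLE` are made up for this sketch.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(text):
    """CSP source expression for the SHA-256 of an inline style's text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineStyleFinder(HTMLParser):
    """Collect (kind, tag, hash) for <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._buf = None  # text of the <style> element being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
        for name, value in attrs:
            if name == "style" and value is not None:
                self.findings.append(("attribute", tag, csp_hash(value)))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.findings.append(("element", tag, csp_hash("".join(self._buf))))
            self._buf = None

def audit(html, style_src):
    """Return (kind, tag, hash, allowed) for each inline style under style_src."""
    sources = set(style_src.split())
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    # 'unsafe-inline' is ignored once the list contains a hash or nonce source.
    allow_all = "'unsafe-inline'" in sources and not has_hash_or_nonce
    finder = InlineStyleFinder()
    finder.feed(html)
    finder.close()
    results = []
    for kind, tag, h in finder.findings:
        # A hash covers <style> elements; attributes also need 'unsafe-hashes'.
        hash_ok = h in sources and (kind == "element" or "'unsafe-hashes'" in sources)
        results.append((kind, tag, h, allow_all or hash_ok))
    return results

SAMPLE = '<style>p{color:red}</style><div style="display:none">x</div>'  # constructed
print(audit(SAMPLE, "'self' " + csp_hash("display:none")))
```

The printed rows reproduce the situation in the question: the attribute's hash is in the policy, yet the attribute is still reported as not allowed. Moving the declaration into a stylesheet or a hashed `<style>` block keeps the policy free of 'unsafe-hashes'.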
